We are pleased to announce the updates for ColdFusion (2018 release), ColdFusion (2016 release), and ColdFusion 11. These updates address a few security issues, which are described in the security bulletin APSB18-33, and upgrade the Tomcat engine and the OpenSSL jars for PDFgServlet.

ColdFusion (2018 release) Update 1

In addition to fixing the vulnerabilities mentioned in the security bulletin, this update contains bug fixes, an upgraded Tomcat (ver 9.0.10), and upgraded OpenSSL to 1.0.2p for PDFgServlet.

For more information on the update and installation instructions, see this tech note.

ColdFusion (2016 release) Update 7

In addition to fixing the vulnerabilities mentioned in the security bulletin, this update contains bug fixes, an upgraded Tomcat (ver 8.5.32), and upgraded OpenSSL to 1.0.2p for PDFgServlet.

For the security fixes to be effective, ColdFusion (2016 release) must be on JDK 8u121 or higher.

For more information on the update and installation instructions, see this tech note.

For a list of previous ColdFusion (2016 release) updates, see Updates.

ColdFusion 11 Update 15

In addition to fixing the vulnerabilities mentioned in the security bulletin, this update contains bug fixes, an upgraded Tomcat (ver 7.0.90), and upgraded OpenSSL to 1.0.2p for PDFgServlet.

For the security fixes to be effective, ColdFusion 11 must be on JDK 7u131 or JDK 8u121 or higher.

For more information on the update and installation instructions, see this tech note.

Hi Saurav Ghosh, For each of the successive releases ColdFusion 11 Update 15, ColdFusion (2016 release) Update 7 and ColdFusion (2018 release) Update 1, you write, “upgraded OpenSSL to 1.0.2p”. This is confusing, because the version number stays the same. Just to be clear, has there been an upgrade of OpenSSL, say, to 1.1.1?

Jim, I’d bet that’s because of a configuration problem with CF. See if you or someone changed the “settings” page value for “default script src”. If so, the problem is that the built-in web server you’re using for CF does not know about that change. You could change it back (to the default in CF2016 of cf_scripts), and then the update feature will work. It’s leveraging one of those CF UI tags that creates the accordion.

But then if someone had also changed your external web server (IIS or Apache) to use that differently named scriptsrc value, then your own code using such UI tags would fail until you changed back the CF admin.

Obviously getting the built-in web server to use whatever value you have set for the scriptsrc would be best, but that’s not easily communicated here. (I need to do a blog post on this mess, and understanding and resolving it.)

Certainly if the box you’re working on is not prod, just change the default scriptsrc value back to cf_scripts, run the update, and then set it back.

Or you could download the update (google coldfusion 2016 updates to get the page that lists the updates), and download the jar you want, and then run the update from the command line rather than from the CF Admin. The Adobe docs talk about how to run the jar from the command line, or I have a blog post with details on that.

Let us know if this gets you going. And Adobe, if you see this, please have CF better handle changes to the default scriptsrc by having it set up the built-in web server to know about it, for use by the CF Admin update feature.

Anyone else have an issue with CF 11 updates between 14 and 15? I can see all 15 updates – but the normally expandable accordions where you usually see the update details – none of those will expand, so I can’t update anything.

Ryan, did you mean “out sites” or “our sites”? If the former, do you mean by way of cfhttp or CF scheduled tasks, perhaps?

There would seem nothing about hotfix 7 that would seem related to that. Can you clarify what you were on before hotfix 7? Also, have you checked the update’s log (the long-named one in the folder for the update under your CF hf-updates folder)? For more, see my blog post on this:

Also, are you sure you didn’t do something else? It could be that since CF was restarted as a part of the update, perhaps some other change was made (in CF or its jvm config) that didn’t take effect until the CF restart. In that case, the update itself may have nothing to do with the problem.